NEA OIG Report
No. R-13-03

National Endowment for the Arts
Evaluation Report

Table of Contents

Results of Evaluation

Areas for Improvement
   Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities.
   Area for Improvement 2: The agency should remediate current webserver vulnerabilities.

Exit Conference

Scope and Methodology


Results of Evaluation

The purpose of this evaluation was to answer the question:

       Is the NEA network's perimeter defense effective?

Yes. The NEA network's perimeter defense is effective.

A penetration test is an attempt to breach a network and gain unauthorized access to its resources. On November 4, 2012, we conducted a penetration test of the NEA network using public information. Our search for public information on the NEA network servers identified one potential target, and the office of the CIO provided its network range of 64 IP addresses to limit the scope of the scan so it did not impact non-NEA equipment. We used software to detect servers and their listening service ports, and then we scanned these servers for vulnerabilities.

The NEA's computer network, the NEA network, has over 200 systems, consisting of servers, desktops, laptops, printers, phones, and network infrastructure devices. Every computer is connected to the network with a unique IP (Internet Protocol) address. For example, a desktop PC on the NEA network might have an address like 192.168.50.40. A typical Windows PC could have more than 20 listening ports. Each port serves a function; for instance, an Internet browser connects to port 80 to request web pages from a server, and email servers use port 25 to transfer messages. It would be normal for a network of 200 systems to present 4,000 listening ports, all potential targets for attack.

The goal of perimeter defense is to minimize the number of exposed ports, known as the "attack surface." A network with no open ports is not a network: open ports are required to communicate. Devices such as firewalls are configured to limit the number of ports exposed to the Internet, and newer technologies such as Intrusion Detection and Protection Systems (IDPS) can provide additional protection.

Several effective characteristics of the NEA network's perimeter defense include the following:

   - The NEA network's firewalls effectively limit the exposure of internal systems to the Internet. Inside the NEA network, 5,000 or more service ports might be actively listening and responding to requests. From the Internet, only 7 systems and 8 ports were discovered in our scan of the NEA network.
   - The listening services we identified all seemed to be functions necessary for the NEA to conduct business. We did not find any instances of services that should not have been exposed to the Internet.
   - We were unable to exploit the systems found to gain unauthorized access to the NEA network.

In summary, the NEA network's perimeter defense effectively prevented our intrusion attempts.

An effective perimeter defense is a significant component of a complete network security program. An attacker can exploit a network in a number of ways. In general, she can attack the network perimeter as we did, or she can bypass the perimeter by tricking a user into letting her in. Means of accomplishing this could be as simple as having a user open a malicious email or visit an infected website, or leaving an infected USB drive to be found by an employee near the front door of the building. While the NEA network's current perimeter defense is effective, continuous attention and improvement are required to ensure that it remains effective in the future.

Our penetration testing did reveal two potential areas for improvement: the agency should implement ongoing scanning to detect vulnerabilities, and it should remediate current webserver vulnerabilities. These areas for improvement are detailed below.


Areas for Improvement

Area for Improvement 1:
The agency should implement ongoing scanning to detect vulnerabilities.

Networks and their systems evolve over time, either deliberately or by chance. Secure systems installed today will become insecure over time due to newly discovered vulnerabilities in their underlying operating system or application software. Furthermore, any time changes are made to the existing environment, vulnerabilities can be inadvertently introduced. The best means of mitigating this risk is vulnerability scanning, both on a periodic basis and on demand any time a change is made to the environment.

Even though it is licensed to use software that can perform vulnerability scanning of its perimeter, the NEA is not currently performing this function. The penetration test we performed as part of this evaluation found several potential vulnerabilities. Because previous tests were not performed, it was not known how long these systems had been vulnerable. The longer systems remain vulnerable, the more likely it is that they will be exploited. Regular testing would have identified these vulnerabilities and enabled timely remediation.

In order to execute the mission of the agency, senior management must remain informed of risks to their underlying systems. Regular perimeter scans are a critical source of information describing risks to an agency's information systems.

Recommendation 1: Perform scheduled, routine scanning of the perimeter on at least a monthly basis.

Recommendation 2: Perform perimeter scans after new hardware or software is introduced to the NEA perimeter network.


Area for Improvement 2:
The agency should remediate current webserver vulnerabilities.

The penetration test we performed identified several potential vulnerabilities in the agency's webservers. We were unable to exploit them using the tools and methods within our scope of testing, but a determined attacker could use these vulnerabilities to exploit the NEA's systems.

We identified four types of vulnerabilities affecting four of the agency's internet-facing servers. Two are specific to the types and configuration of vendor software: an obsolete and vulnerable version of Apache software, and weak (easily broken) encryption methods. An upgrade to a newer version of Apache would resolve the first issue, and a relatively simple configuration change would resolve the second.

The remaining two types of vulnerabilities are specific to the custom software applications providing website services. These affect two systems, and are known as "Cross-Site Scripting" and "SQL Injection" vulnerabilities.

Cross-Site Scripting (XSS) vulnerabilities can be used to redirect users of a website to a different website without their knowledge or permission. A recent higher-profile example is the exploit in November 2012 of the Yahoo email service, which resulted in account breaches and the proliferation of spam.

The SQL Injection vulnerabilities found indicate that it may be possible for an external attacker to change the behavior of the application to directly access or possibly modify the internal NEA database supporting the application. This type of vulnerability is frequently used to modify a once-legitimate website to sell male enhancement drugs, embarrassing the owners of the website. Firms that store private data such as passwords or credit card numbers are at significant financial risk from these types of attacks.

The NEA has a responsibility to control access to its data, and to protect users of its public websites from malicious activity. It is possible to improve security by reconfiguring the existing webservers to remediate the issues found in the perimeter scan.

Recommendation 3: Upgrade vulnerable software to current, secure versions.

Recommendation 4: Upgrade encrypted websites to current standards.

Recommendation 5: Remediate known Cross-Site Scripting vulnerabilities.

Recommendation 6: Remediate known SQL Injection vulnerabilities.

Recommendation 7: Perform routine maintenance to identify and remediate vulnerabilities affecting public websites.


Exit Conference

An exit conference was held with ITM officials on February 11, 2013. ITM officials concurred with our findings and recommendations.


Objective, Scope and Methodology

Objective:
       Is the NEA network's perimeter defense effective?

Scope:
       This evaluation will include all externally available wired nodes on the NEA network. The device list shall include but is not limited to all servers, workstations, routers, email gateways and firewalls. The access types attempted will include login attempts for the purposes of information gathering, privilege escalation, and establishment of jumping points to other areas of the NEA network infrastructure.

Methodology:

   1. From an unfiltered IP address, perform unauthenticated network and device discovery using a toolset to include but not limited to Nessus, Wireshark, and other applications within the BackTrack tool suite.
   2. Review and analyze protocol encryption types, as applicable.
   3. Perform automated and manual login attacks using Hydra and/or other tools.
   4. Analyze privilege capabilities if successful login is achieved.
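The routine scanning called for under Area for Improvement 1 (Recommendations 1 and 2) is only useful if each scan is compared with the last one. The following script is an added illustration, not part of the OIG report or any NEA tooling: it reads two constructed scan listings in a simple "host port/proto service" format, reports ports that appeared or disappeared since the baseline, and flags any listening service outside a constructed allow list of business-necessary services.

```python
# Added example (not from the OIG report): compare a new perimeter scan against
# the previous baseline so newly exposed ports, and any listening service not on
# the list of business-necessary services, stand out for review.
# The scan listings below are constructed sample data, not real NEA results.

BASELINE_SCAN = """\
# constructed baseline from the previous monthly scan
203.0.113.10 80/tcp http
203.0.113.10 443/tcp https
203.0.113.20 25/tcp smtp
203.0.113.30 443/tcp https
"""

CURRENT_SCAN = """\
# constructed scan run after a change to the perimeter network
203.0.113.10 80/tcp http
203.0.113.10 443/tcp https
203.0.113.20 25/tcp smtp
203.0.113.30 443/tcp https
203.0.113.30 3389/tcp ms-wbt-server
203.0.113.40 8080/tcp http-proxy
"""

# Constructed allow list: services the agency has decided it needs on the perimeter.
ALLOWED_SERVICES = {"http", "https", "smtp"}


def parse_scan(text):
    """Return a set of (host, port/proto, service) tuples; comments and blanks are skipped."""
    exposures = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, service = line.split()
        exposures.add((host, port_proto, service))
    return exposures


def compare_scans(baseline_text, current_text, allowed=ALLOWED_SERVICES):
    """Summarize the current attack surface and what changed since the baseline."""
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    return {
        "hosts": len({host for host, _, _ in current}),
        "ports": len(current),
        "new": sorted(current - baseline),        # exposed since the last scan
        "closed": sorted(baseline - current),     # no longer listening
        "unexpected": sorted(e for e in current if e[2] not in allowed),
    }


if __name__ == "__main__":
    report = compare_scans(BASELINE_SCAN, CURRENT_SCAN)
    print(f"{report['hosts']} hosts, {report['ports']} listening ports")
    for label in ("new", "closed", "unexpected"):
        for host, port, service in report[label]:
            print(f"{label:>10}: {host} {port} {service}")
```

Run monthly and after every perimeter change, the "new" and "unexpected" lists are the items that need a ticket before the next scan.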
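Area for Improvement 2 names SQL Injection and Cross-Site Scripting in the custom web applications without showing what the defects look like in code. The block below is an added example, not code from the OIG report or from any NEA application: each defect appears as an unsafe lookup or render function beside its remediated form (Recommendations 5 and 6), using an in-memory SQLite table with constructed rows. The unsafe lookup fails on a legitimate name containing an apostrophe, which is the same symptom a scanner notices from outside.

```python
# Added example (not from the OIG report): SQL Injection and Cross-Site Scripting
# shown as an unsafe function beside its remediated form. Table and rows are constructed.
import html
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE grants (id INTEGER PRIMARY KEY, applicant TEXT, amount INTEGER)")
conn.executemany("INSERT INTO grants (applicant, amount) VALUES (?, ?)",
                 [("Ana Silva", 10000), ("O'Brien Dance Co", 25000)])


def lookup_unsafe(applicant):
    """SQL Injection: the input is spliced into the statement text, so the database
    interprets it as SQL. A real name with an apostrophe already breaks the query."""
    sql = "SELECT amount FROM grants WHERE applicant = '" + applicant + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(applicant):
    """Remediation: a parameterized query passes the input as data, never as SQL."""
    sql = "SELECT amount FROM grants WHERE applicant = ?"
    return [row[0] for row in conn.execute(sql, (applicant,))]


def render_unsafe(applicant):
    """Cross-Site Scripting: input echoed into the page as-is becomes HTML markup."""
    return "<p>Results for " + applicant + "</p>"


def render_safe(applicant):
    """Remediation: escape on output so the browser shows the text literally."""
    return "<p>Results for " + html.escape(applicant, quote=True) + "</p>"


def lookup_breaks(applicant):
    """True when the unsafe lookup raises a database error on this input."""
    try:
        lookup_unsafe(applicant)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    name = "O'Brien Dance Co"
    print("unsafe lookup breaks:", lookup_breaks(name))
    print("safe lookup:", lookup_safe(name))
    print("safe render:", render_safe("<b>" + name + "</b>"))
```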